Backdoor.sdbot.bed1623b

This virus/worm/trojan was identified by Bitdefender, which I am currently running. It is being blocked by this AV and Sygate, my firewall. I have run XofTSpySE in Safe Mode to remove it, and it does appear to remove files, only to have taskmg.exe pop up as soon as I boot back into normal mode. The problem is none of the AV tools seem to detect much of it when scanning. And if they do and I quarantine it, it just comes back. I have tried going through the registry to look for names of entries to delete but have not found a good match I felt comfortable deleting. I ran this Hijack b/c I saw others do the same. I feel the virus is in my registry and I just can't seem to find what needs to be deleted. I am an intermediate user, so please be patient if/when providing instructions. I truly appreciate any direction. I also tried to delete Taskmg.exe but it would not let me. I also found pcdoctor in one of my directories, which when clicked turned two other files on: drsmartload and another which I cannot remember. All for now, as this has gotten longer than I intended.

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you.

You are using an outdated version of HijackThis. Click here to download HJTsetup.exe

Save HJTsetup.exe to your desktop.

Double-click on the HJTsetup.exe icon on your desktop.

By default it will install to C:\Program Files\Hijack This.

Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.

Put a check by Create a desktop icon then click Next again.

Continue to follow the rest of the prompts from there.

At the final dialogue box click Finish and it will launch Hijack This.

Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.

Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.

Come back here to this thread and Paste the log in your next reply.

DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.

Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!

Sam, thanks for your reply. I was going to perform the tasks you suggested, only to go home and find out that I am totally blocked from accessing the internet. I spent well over an hour with a technician in India from my cable company who tried everything he could think of and finally said that I have a good connection to their system, but the problem was between the modem and my computer. My son had called me at work saying that a Bitdefender popup came up with a virus detection while he was IM'ing and then the system locked up. Could this be related? I ran Bitdefender, Grisoft AVG, Search and Destroy and Xoftspy and nothing came up.

I have dl the newest version of HJT and will take it home and install. Since I do not have internet access at home and in the interest of time, are there any other dl's I will need? I should be able to post the log tomorrow. I also downloaded Adware SE and will run it tonight. Sorry if this post breaks protocol - just want to keep you informed of the latest.

I see you have Bit Defender and AVG installed and running as antivirus programs. It's not recommended to run more than one antivirus at a time. I would suggest that you uninstall one of them and only keep one to use.

Post a hijackthis log when you can and we'll work through it.

OK, here is the log... thanks Sam for the tips for my internet. Still no dice. I know it's not the modem or my ethernet card as I tried with another computer. Something is blocking the actual connection, it appears. This morning Bitdefender popped up with Trojan.Reg.Secdrop.6ev and the file listed was n:\wasrendr\system volume information\_restore{47465380-a311-4d628f6f-e90efe The wasrendr directory was one I had created to dump some files from an old system. I do have two hd on my computer if that is important. Feel free to email me at Ricardo_moreno@uhc.com today during business hours, as you know I have no internet access, or rmoreno01@earthlink.net after hours and for this weekend. I'll try to go somewhere to access so I'm not out all weekend if possible. I just looked at your message again and saw the other program you suggested I dl and about the AV ... not sure how I missed it. Will try the prog tonight and uninstall Grisoft and leave Bitdefender... I have also noticed my Sygate Firewall not launching... hummmm

Run HijackThis again, click scan, and put a checkmark next to each of the lines listed below. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

OK, my Cybersitter was totally gone... not loading, could not find it. Reinstalled it and uninstalled the firewall. Ran the winsock prog and no luck with internet. Brought up the basement pc and am connected through the same router. Before uninstalling Sygate I tried to launch it from the start menu and it would not do so. When installing Cybersitter, BitDefender popped up with C:\windows\system32\~glh0007-temp Trojan.kaodilos.A

My restore function was off when I checked. Turned it back on but did not create a new restore point. Thought I'd be perpetuating this thing if I did... since it was already off, how do I flush the restore points? Here is the log

You should see a list of files on the left hand side. Let me know if you see anything listed on the right, but do not proceed yet.

If the box on the right is empty, simply click Finish>>.

Reboot and check your connection.

Ran the program and on the right under "Remove" was lspcs.dll. I closed the program and did not click finish, as you stated. As for the other drive "N", it is a second backup hard drive. Slave to the main. Since you said consider it infected, should I run Bitdefender specifically on it or any of the other programs I've dld? Thanks so much for your advice.

Ran a scan on N and it came up with Trojan/CWS Combo and it pointed to C:\Windows\Cyb2k.exe, which is similar to the Cybersitter program info. However, when I go to the Control Panel to remove it, the Cybersitter program does not appear. All for now...

Go ahead and open LSPFix and click the Finish button. Then reboot and check your connection.

It sounds like Bit Defender doesn't like Cybersitter and has removed part of it. I don't know if it's a false positive or Cybersitter actually became infected. I'm guessing it's a false positive.

Post a new hijackthis log and let me know about your connection.

Clicked on finish to fix the connection. But still nothing; it shows my IP addy as 169.254.186.81, which when I spoke with the cable guy he said was not right. It says it cannot renew my IP address. Also, I uninstalled Cybersitter.

One more thing. When deleting all files related to Cybersitter, there was one I could not remove on L:CYBERsitter.v9.5.5.16\ac-c556a\setup\setup2k.exe. When trying to do so, a Trojan.Kaodilos alert came up. I also dl Ewido as I saw you suggested elsewhere. It came up with Trojan.Downloader.Adload.BY pointing to C:documents and settings\localservice\localsettings\temporary internet files\content ie5\shiv89an\gamesforall{1}.zip=>(RAR Sfx o)=>winupdate.exe

Bitdefender appears to identify the location of the Trojan in several places. I have deleted all temp internet files.

More work... read to run Ewido in safe mode. Here is the report, and where it says no action taken I did quarantine. However, it said at one point it could not do so because it was embedded and asked if I wanted to quarantine the whole entry... said yes

Are you sure the program has been uninstalled? If so, go ahead and delete this file.

C:\WINDOWS\Cyb2k.exe

Any connection yet?
